5

I have set up a Kerberos server and OpenLDAP on RHEL 5.5. I also have a RHEL 6 machine as a client. I have run my Java program, which uses JAAS, to query the OpenLDAP server from the Linux client.

I can query the OpenLDAP server if I copy the client's keytab to the client machine and use the following configuration options:

principal=wpingli
useKeyTab=true
keyTab="/home/wpingli/ker/java/wpingli_new.keytab";

I can also query the OpenLDAP server if I am prompted to input the user/password. This leads me to believe that my environment is OK.

However, I'm unable to query the server if I run my Java program after kinit:

klist output:

[wpingli@pli java]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [email protected]
Valid starting       Expires              Service principal
10/20/11 16:18:06    10/21/11 16:18:02    krbtgt/[email protected]

JAAS configuration:

GssExampleSUN {
    com.sun.security.auth.module.Krb5LoginModule required
        client=true
        debug=true
        doNotPrompt=true
        useTicketCache=true
        ticketCache="/tmp/krb5cc_500";
};

Exception:

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is /tmp/krb5cc_500 isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain Princpal Name for authentication
Authentication attempt failed
javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication

How can I fix this?

5
  • Have you tried using this system property: -Djavax.security.auth.useSubjectCredsOnly=false ? Does it work if you specify the principal name explicitly in the configuration (principal="[email protected]")? Commented Oct 21, 2011 at 1:35
  • Thanks for your quick reply. I agree with you that I need to use the system property, but it failed with the same error. The principal option does not work either. Commented Oct 21, 2011 at 2:35
  • If I specify the principal, the error is "Unable to obtain password from user". Commented Oct 21, 2011 at 2:38
  • You might get more debugging information using these: -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true Commented Oct 21, 2011 at 12:32
  • It reports that the encryption type is not supported (unsupported key type found the default TGT: 18):
    >>>DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
    >>>DEBUG <CCacheInputStream> key type: 18
    >>>DEBUG <CCacheInputStream> auth time: Mon Oct 24 10:26:30 CST 2011
    >>>DEBUG <CCacheInputStream> start time: Mon Oct 24 10:26:30 CST 2011
    >>>DEBUG <CCacheInputStream> end time: Tue Oct 25 10:26:30 CST 2011
    >>> CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL;
    >>>DEBUG <CCacheInputStream> >>> unsupported key type found the default TGT: 18
    Commented Oct 24, 2011 at 2:51

1 Answer

5

Java doesn't necessarily support all encryption types supported by (presumably MIT) kinit (libkrb5).

It's possible to configure the encryption types used by libkrb5 in the krb5.conf file (usually in /etc). For example (not necessarily the most secure ones):

[libdefaults]
    # Enctypes the client requests for service tickets (TGS-REQ)
    # default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

    # Enctypes the client requests for the initial TGT (AS-REQ); the TGT session key
    # that kinit stores in the cache (the "key type" in the Java debug output) is chosen
    # from this list
    # default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

    # Enctypes the client will accept for session keys at all
    # permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

Which encryption types are supported will depend on the JRE vendor/version and its security providers.

Here is a link to the documentation for Java 6 (Oracle JRE):

2
  • Thanks Bruno. Everything works well now. Sun JDK and JRockit have the same security provider, while IBM uses its own. Commented Oct 24, 2011 at 3:36
  • Thanks. In my case adding the JCE unlimited strength policy jar files to my java installation did the trick. Commented Apr 30, 2015 at 9:18
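The debug lines quoted in the question's comments ("key type: 18", "unsupported key type found the default TGT: 18") are the JDK's CCacheInputStream reading the session-key enctype straight out of the FILE: cache and refusing a type it cannot use, which is the situation the answer's krb5.conf change works around. The script below is an added example, not code from the question, the answer, or any Kerberos project: it parses a version-4 MIT credential cache the same way and flags any TGT whose enctype a given JRE lacks, so the cause can be confirmed from the cache itself before editing krb5.conf. It assumes the documented v4 file layout; the sample cache, the realm EXAMPLE.COM, the lifetimes and key bytes in it, and the "restricted JRE" enctype set are all constructed for the example.

```python
"""Report the session-key enctypes in an MIT Kerberos ccache (FILE: format v4).
Added example, not code from the post: it mirrors what the JDK's CCacheInputStream
checks when Krb5LoginModule reads a ticket cache. The sample cache, realm
EXAMPLE.COM, lifetimes and key bytes below are constructed."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}
# MIT's native ticket-flag bits, as stored in the cache and printed by the JDK debug
TICKET_FLAGS = {0x40000000: "FORWARDABLE", 0x00800000: "RENEWABLE", 0x00400000: "INITIAL"}


class CCacheReader:
    """Big-endian field reader for ccache format version 4 (magic 0x0504)."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated credential cache")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def octets(self): return self.take(self.u32())      # u32 length + bytes

    def principal(self):          # u32 name type, u32 ncomp, realm, then components
        self.u32()
        ncomp = self.u32()
        realm = self.octets().decode()
        return "/".join(self.octets().decode() for _ in range(ncomp)) + "@" + realm


def parse_ccache(data):
    """Default principal plus server, enctype, endtime and flags of every credential."""
    r = CCacheReader(data)
    if r.u16() != 0x0504:
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                           # header block (DeltaTime tag), skipped
    cache = {"default_principal": r.principal(), "creds": []}
    while r.pos < len(r.data):
        client, server = r.principal(), r.principal()
        enctype = r.u16()                     # keyblock: u16 enctype + counted key
        r.octets()                            # session key bytes: skipped, never shown
        _auth, _start, endtime, _renew = [r.u32() for _ in range(4)]
        r.u8()                                # is_skey
        flags = r.u32()
        for _ in range(r.u32()):              # addresses: u16 type + octets each
            r.u16(); r.octets()
        for _ in range(r.u32()):              # authorization data: same shape
            r.u16(); r.octets()
        r.octets(); r.octets()                # ticket, second_ticket (DER blobs)
        cache["creds"].append({"client": client, "server": server, "enctype": enctype,
                               "endtime": endtime,
                               "flags": [n for b, n in TICKET_FLAGS.items() if flags & b]})
    return cache


def unusable_tgts(cache, jre_enctypes):
    """(server, enctype name) for each TGT whose session-key enctype the JRE lacks."""
    return [(c["server"], ENCTYPE_NAMES.get(c["enctype"], str(c["enctype"])))
            for c in cache["creds"]
            if c["server"].startswith("krbtgt/") and c["enctype"] not in jre_enctypes]


# Writer side, used only to construct the sample cache (shaped like the question's).
def _octets(b): return struct.pack(">I", len(b)) + b

def _principal(realm, *comps):                # name type 1 = NT-PRINCIPAL
    return (struct.pack(">II", 1, len(comps)) + _octets(realm.encode())
            + b"".join(_octets(c.encode()) for c in comps))

def _cred(client, server, enctype, key, start, end, flags):
    return (client + server + struct.pack(">H", enctype) + _octets(key)
            + struct.pack(">IIII", start, start, end, 0) + b"\x00"   # times, is_skey
            + struct.pack(">III", flags, 0, 0)                      # flags, no addrs/authdata
            + _octets(b"\x61" + b"\x00" * 31) + _octets(b""))        # placeholder ticket

def sample_ccache():
    """AES-256 TGT (enctype 18, as in the debug output) plus a des3 LDAP service ticket."""
    me = _principal("EXAMPLE.COM", "wpingli")
    tgt = _principal("EXAMPLE.COM", "krbtgt", "EXAMPLE.COM")
    ldap = _principal("EXAMPLE.COM", "ldap", "ldap.example.com")
    header = struct.pack(">HHii", 1, 8, 0, 0)           # DeltaTime tag, zero offset
    start, end = 1319127486, 1319127486 + 86400        # constructed 24 h lifetime
    return (struct.pack(">HH", 0x0504, len(header)) + header + me
            + _cred(me, tgt, 18, b"\x11" * 32, start, end, 0x40C00000)
            + _cred(me, ldap, 16, b"\x22" * 24, start, end, 0x40000000))


if __name__ == "__main__":
    cache = parse_ccache(sample_ccache())
    print("Default principal:", cache["default_principal"])
    for c in cache["creds"]:
        print(f"  {c['server']}: key type {c['enctype']} "
              f"({ENCTYPE_NAMES.get(c['enctype'], '?')}) {' '.join(c['flags'])}")
    restricted_jre = {1, 3, 16, 17, 23}   # assumed: JRE without unlimited JCE policy, no AES-256
    for server, name in unusable_tgts(cache, restricted_jre):
        print(f"TGT for {server} has key type {name}; Krb5LoginModule cannot use this cache")
```

To check a real cache, pass `open("/tmp/krb5cc_500", "rb").read()` to `parse_ccache` (MIT's `klist -e` prints the same enctype names). The answer's krb5.conf change fixes the login by making kinit ask the KDC for a weaker TGT session key; a less intrusive fix is to keep aes256-cts in the enctype lists and let the JRE handle it, either by installing the unlimited-strength JCE policy files (as the second comment did) or by running on JDK 8u161 or later, where the unlimited policy is the default, rather than falling back to single DES.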
